SAML Encryption Certificate - Can’t Select Public Cert Only

[jkman340]

Describe the bug

When enabling encryption in a SAML provider, only certificates with a private key available are listed. According to the Authentik docs:

An encryption certificate is a public key certificate used by authentik to encrypt sensitive data in SAML assertions before sending them to an SP. This ensures that sensitive data within the assertion, such as user attributes and authentication details, remain confidential and can only be decrypted by the SP possessing the corresponding private key.

You should be able to select certificates defined without the private key specified. Only the SP needs to have the private key for decryption.

How to reproduce

Creates SAML provider and attempt to select an encryption certificate.

Expected behavior

Can select certificates without private keys associated.

Screenshots

No response

Additional context

No response

Deployment Method

Docker

Version

2025.10

Relevant log output

[jkman340]

I did some more testing. I created a cert that included the private key for now to get around the web issue. However, when I do that, the signature fails to validate on the SP Side. I found #14098 which seems similar to what i'm seeing. If I disable the signature verification on the SP side encryption is working.

I'm not sure if this will be fixed by the web patch above or cause more issues.

[PeshekDotDev]

@jkman340 What SP are you integrating with when you test this?

[jkman340]

I’m using Mattermost as the SP

[PeshekDotDev]

Okay. Pretty sure there are 2 bugs happening side by side

1. Selecting and loading an encryption cert requires having a private key saved alongside it

2. We accidentally malform the saml when we encrypt. I found a similar error with another SP.

The PR I made fixes problem 1. I am working on problem 2 and will test it against mattermost and make a PR soon

[jkman340]

Thank you for the update!